Perplexity Comet UXSS (www.hacktron.ai)

Security shop Hacktron disclosed a chained UXSS (Universal Cross-Site Scripting) in Perplexity’s Comet browser extension built on Chromium. The chain started with a permissive manifest (externally_connectable set to https://*.perplexity.ai/*) that let any subdomain message the extension, combined with a DOM XSS on a subdomain (Cloudflare WAF was bypassed). Message handlers exposed privileged actions: RUN_IDLE_TEST invoked chrome.debugger.sendCommand DOMSnapshot.captureSnapshot (returning serialized DOM via snapshotHtml/snapshotAxTree and even allowing file:// URIs), and CALL_TOOL / startAgentFromPerplexity opened arbitrary pages and executed backend-supplied selectors via a websocket-backed agent. Together these allowed reading cross-origin and local data and automating arbitrary in-page actions (PoC: reading Gmail and altering a Perplexity username). Perplexity patched the issue within 24 hours after Hacktron’s Aug 19 report and awarded a $6,000 bounty; Hacktron released CLI agents that detect React/XSS footguns and extension pitfalls. For the AI/ML and extension development community this is a practical reminder that composability and agentic tooling create complex state machines that evade simple checks. Key takeaways: avoid wildcard externally_connectable entries, validate external messages and backend-supplied selectors, never serialize/send full DOM snapshots to untrusted contexts (or allow file://), limit use of privileged chrome.debugger APIs, and continuously scan subdomains for DOM XSS. AI agents can speed discovery and triage, but expert human review remains essential for assembling and mitigating multi-step exploit chains.